Healthcare Information Technology

Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018

Posted by HIPAA Journal

Cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes.

In its latest report – Cybercrime Tactics and Techniques: The 2019 State of Healthcare – Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data.

Cyberattacks on healthcare organizations can have severe consequences. As we have seen on several occasions this year, attacks can cause severe disruption to day to day operations at hospitals often resulting in delays in healthcare provision. In at least two cases, cyberattacks have resulted in healthcare organizations permanently closing their doors and a recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, attacks are increasing in frequency and severity.

Malwarebytes data shows the healthcare industry was the seventh most targeted industry sector from October 2018 to September 2019, but if the current attack trends continue, it is likely to be placed even higher next year.

Healthcare organizations are an attractive target for cybercriminals as they store a large volume of valuable data in EHRs which is combined, in many cases, with the lack of a sophisticated security model. Healthcare organizations also have a large attack surface to defend, with large numbers of endpoints and other vulnerable networked devices. Given the relatively poor defenses and high value of healthcare data on the black market it is no surprise that the industry is so heavily targeted.

Detection of threats on healthcare endpoints were up 45% in Q3, 2019, increasing from 14,000 detections in Q2 to 20,000 in Q3. Threat detections are also up 60% in the first three quarters of 2019 compared to all of 2018.

Many of the detections in 2019 were Trojans, notably Emotet in early 2019 followed by TrickBot in Q3. TrickBot is currently the biggest malware threat in the healthcare industry. Overall, Trojan detections were up 82% in Q3 from Q2, 2019. These Trojans give attackers access to sensitive data but also download secondary malware payloads such as Ryuk ransomware. Once data has been stolen, ransomware is often deployed.

Trojan attacks tend to be concentrated on industry sectors with large numbers of endpoints and less sophisticated security models, such as education, the government, and healthcare.  Trojans are primarily spread through phishing and social engineering attacks, exploits of vulnerabilities on unpatched systems, and as a result of system misconfigurations. Trojans are by far the biggest threat, but there have also been increases in detections of hijackers, which are up  98% in Q3, riskware detections increased by 85%, adware detections were up 34%, and ransomware detections increased by 15%.

Malwarebytes identified three key attack vectors that have been exploited in the majority of attacks on the healthcare industry in the past year: Phishing, negligence, and third-party supplier vulnerabilities.

Due to the high volume of email communications between healthcare organizations, doctors, and other healthcare staff, email is one of the main attack vectors and phishing attacks are rife. Email accounts also contain a considerable amount of sensitive data, all of which can be accessed following a response to a phishing email. These attacks are easy to perform as they require no code or hacking skills. Preventing phishing attacks is one of the key challenges faced by healthcare organizations.

The continued use of legacy systems, that are often unsupported, is also making attacks far too easy. Unfortunately, upgrading those systems is difficult and expensive and some machines and devices cannot be upgraded. The problem is likely to get worse with support for Windows 7 coming to an end in January 2020. The sow rate of patching is why Malwarebytes is still detecting WannaCry ransomware infections in the healthcare industry. Many organizations have still not patched the SMB vulnerability that WannaCry exploits, even though a patch was released in March 2017.

Negligence is also a key problem, often caused by the failure to prioritize cybersecurity at all levels of the organization and provide appropriate cybersecurity training to employees. Malwarebytes notes that investment in cybersecurity is increasing, but it often doesn’t extend to brining in new IT staff and providing security awareness training.

As long as unsupported legacy systems remain unpatched and IT departments lack the appropriate resources to address vulnerabilities and provide end user cybersecurity training, cyberattacks will continue and the healthcare industry will continue to experience high numbers of data breaches.

The situation could also get a lot worse before it gets better. Malwarebytes warns that new innovations such as cloud-based biometrics, genetic research, advances in prosthetics, and a proliferation in the use of IoT devices for collecting healthcare information will broaden the attack surface even further. That will make it even harder for healthcare organizations to prevent cyberattacks. It is essential for these new technologies to have security baked into the design and implementation or vulnerabilities will be found and exploited.

The post Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018 appeared first on HIPAA Journal.

Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data

Posted by HIPAA Journal

The Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act, has been introduced by Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada). The new legislation will ensure that health data collected through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health data collected, received, stored, maintained, or transmitted by HIPAA-covered entities and their business associates. Some of the same information is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps. That information can be used, shared, or sold, without consent. Consumers have no control over who can access their health data. The new legislation aims to address that privacy gap.

The bill prohibits the transfer, sale, sharing, or access to any non-anonymized consumer health information or other individually identifiable health information that is collected, recorded, or derived from personal consumer devices to domestic information brokers, other domestic entities, or entities based outside the United States unless consent has been obtained from the consumer.

Consumer devices are defined as “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”

The Smartwatch Data Act applies to information about the health status of an individual, personal biometric information, and kinesthetic information collected directly through sensors or inputted manually into apps by consumers. The Smartwatch Data Act would treat all health data collected through apps, wearable devices, and trackers as protected health information.

There have been calls for HIPAA to be extended to cover app developers and wearable device manufacturers that collect, store, maintain, process, or transmit consumer health information. The Smartwatch Data Act does not extend HIPAA to cover these companies, instead the legislation applies to the data itself. The bill proposes the HHS’ Office for Civil Rights, the main enforcer of compliance with HIPAA, would also be responsible for enforcing compliance with the Smartwatch Data Act. The penalties for noncompliance with the Smartwatch Data Act would be the same as the penalties for HIPAA violations.

“The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy,” said Sen. Rosen “This commonsense, bipartisan legislation will extend existing health care privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent.”

The legislation was introduced following the news that Google has partnered with Ascension, the second largest healthcare provider in the United States, and has been given access to the health information of 50 million Americans. That partnership has raised a number of questions about the privacy of health information.

The Ascension data passed to Google is covered by HIPAA, but currently fitness tracker data is not. Google intends to acquire fitness tracker manufacturer Fitbit in 2020 and concern has been raised about how Google will use personal health data collected through Fitbit devices. The Smartwatch Data Act would help to ensure that consumers are given a say in how their health data is used.

The post Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data appeared first on HIPAA Journal.

House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership

Posted by HIPAA Journal

Leaders of the House Committee on Energy and Commerce are seeking answers from Google and Ascension on Project Nightingale. The Department of Health and Human Services’ Office for Civil Rights has also confirmed that an investigation has been launched to determine if HIPAA Rules have been followed.

The collaboration between Google and Ascension was revealed to the public last week. The Wall Street Journal reported that Ascension was transferring millions of patient health records to Google as part of an initiative called Project Nightingale.

A whistleblower at Google had contacted the WSJ to raise concerns about patient privacy. A variety of internal documents were shared with reporters on the extent of the partnership and the number of Google employees who had access to Ascension patients’ data. Under the partnership, the records of approximately 50 million patients will be provided to Google, 10 million of which have already been transferred.

According to the WSJ report, 150 Google employees are involved with the project and have access to patient data. The whistleblower stated that those individuals are able to access and download sensitive patient information and that patients had not been informed about the transfer of their data in advance. Understandably, the partnership has raised concerns about patient privacy.

Both Google and Ascension released statements about the partnership after the WSJ story was published, confirming that Google was acting as a business associate of Ascension, had signed a business associate agreement, and that it was in full compliance with HIPAA regulations. Under the terms of the BAA, which has not been made public, Google is permitted access to patient data in order to perform services on behalf of Ascension for the purpose of treatment, payment, and healthcare operations.

Google will be analyzing patient data and using its artificial intelligence and machine learning systems to develop tools to assist with the development of patient treatment plans. Google will also be helping Ascension modernize its infrastructure, electronic health record system, and improve collaboration and communication. Google has confirmed in a blog post that it is only permitted to use patient data for purposes outlined in the BAA and has stated that it will not be combining patient data with any consumer data it holds and that patient data will not be used for advertising purposes.

Democratic leaders of the House Committee on Energy and Commerce wrote to Google and Ascension on November 18, 2019 requesting further information on the partnership. The inquiry is being led by House Energy Committee Chairman, Frank Pallone Jr. (D-New Jersey). The letters have also been signed by Chairwoman of the Subcommittee on Health, Anna Eshoo (D-California), Subcommittee on Consumer Protection and Commerce Chair, Jan Schakowsky (D-Illinois), and Subcommittee on Oversight and Investigations Chair, Diana DeGette (D-Colorado).

In the letters, the Committee leaders have requested information on the “disturbing initiative” known as Project Nightingale.

“While we appreciate your efforts to provide the public with further information about Project Nightingale, this initiative raises serious privacy concerns. For example, longstanding questions related to Google’s commitment to protecting the privacy of its own users’ data raise serious concerns about whether Google can be a good steward of patients’ protected health information.”

Ascension’s decision not to inform patients prior to the transfer of protected health information has also raised privacy concerns, as has the number of Google employees given access to the data. Further, employees of Google’s parent company Alphabet also have access to Ascension data.

The Committee leaders have requested a briefing by no later than December 6, 2019 about the types of data being used, including the data being fed into its artificial intelligence tools, and the extent to which Google and Alphabet employees have access to the data. The Committee leaders also want to know what steps have been taken to protect patient information and the extent to which patients have been informed.

The Department of Health and Human Services’ Office for Civil Rights has also confirmed that it has launched an investigation into the partnership. Its investigation is primarily focused on how data is being transferred, the protections put in place to safeguard the confidentiality, integrity, and availability of protected health information, and whether HIPAA Rules are being followed. Google has stated it will be cooperating fully with the OCR investigation.

The post House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership appeared first on HIPAA Journal.

TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers

Posted by HIPAA Journal

TigerConnect has released its 2019 State of Healthcare Communications Report, which shows that continuing reliance on decades-old, inefficient communications technology is negatively impacting patients and is contributing to the increasing cost of healthcare provision.

For the report, TigerConnect surveyed more than 2,000 patients and 200 healthcare employees to assess the current state of communications in healthcare and gain insights into areas where communication inefficiencies are causing problems.

The responses clearly show that communication in healthcare is broken. 52% of healthcare organizations are experiencing communication disconnects that impact patients on a daily basis or several times a week. Those communication inefficiencies are proving frustrating for healthcare employees and patients alike.

The report reveals most hospitals are still heavily reliant on communications technology from the 1970s. 89% of hospitals still use faxes and 39% are still using pagers in some departments, roles, or even across the entire organization. The world may have moved on, but healthcare hasn’t, even though healthcare is the industry that stands to benefit most from the adoption of mobile technology.

The HHS’ Centers for Medicaid and Medicare Services (CMS) is pushing for fax machines to be eliminated by the end of 2020 and for healthcare organizations to instead use more secure, reliable, and efficient communications methods. Given the extensive use of fax machines, that target may be difficult to achieve.

“Adoption of modern communication solutions has occurred in every other industry but healthcare,” said Brad Brooks, chief executive officer and co-founder of TigerConnect. “Despite the fact that quality healthcare is vital to the well-being and functioning of a society, the shocking lack of communication innovation comes at a steep price, resulting in chronic delays, increased operational costs that are often passed down to the public, preventable medical errors, physician burnout, and in the worst cases, can even lead to death.”

The cost of communication inefficiencies in healthcare is considerable. According to NCBI, a 500-bed hospital loses more than $4 million each year as a result of communication inefficiencies and communication errors are the root cause of 70% of all medical error deaths.

The communication problems are certainly felt by healthcare employees, who waste valuable time battling with inefficient systems. The report reveals 55% of healthcare organizations believe the healthcare industry is behind the times in terms of communication technology compared to other consumer industries.

One of the main issues faced by healthcare professionals is not being able to get in touch with members of the care team when they need to. 39% of healthcare professionals said it was difficult or very difficult communicating with one or more groups of care team members.

Fast communication is critical for providing high quality care to patients and improvements are being made, albeit slowly. Secure messaging is now the primary method of communication overall for nurses (45%) and physicians (39%), although landlines are the main form of communication for allied health professionals (32%) and staff outside hospitals (37%), even though secure messaging platforms can be used by all groups in all locations.

Even though there is an increasing mobile workforce in healthcare, healthcare organizations are still heavily reliant on landlines. Landlines are still the top method of communication when secure messaging is not available. Landlines are also used 25% of the time at organizations that have implemented secure messaging.

Healthcare organizations that have taken steps to improve communication and have implemented secure messaging platforms are failing to get the full benefits of the technology. All too often, secure messaging technology is implemented in silos, with different groups using different methods and tools to communicate with each other. When secure messaging is not used, such as when the platform is only used by certain roles, communication is much more difficult.

The communications problems are also felt by patients. Nearly three quarters (74%) of surveyed patients who had spent at least some time in hospital in the past two years, either receiving treatment or visiting an immediate family member, said they were frustrated by inefficient processes.

The most common complaints were slow discharge/transfer times (31%), ED time with doctors (22%), long waiting room times (22%), the ability to communicate with a doctor (22%), and the length of time it takes to get lab test results back (15%). Many of these issues could be eased through improved communication between members of the care team. The survey also revealed hospital staff tend to underestimate the level of frustration that patients experience.

Communication problems play a large part in the bottlenecks that often occur in healthcare. Communication problems were cited as causing delayed discharges (50%), consult delays (40%), long ED wait times (38%), transport delays (33%) and slow inter-facility transfers (30%). There is a 50% greater chance of daily communication disconnects negatively impacting patients when secure messaging is not used.

Hospitals that communicate with patients by SMS/text or messaging apps are far more likely to rate their communication methods as effective or extremely effective. 75% of hospitals that use text/SMS and 73% that use messaging apps rate communication with patients as effective or very effective, compared to 62% that primarily use the telephone and 53% whose primary method of communicating with patients is patient portals. The survey also showed that only 20% of patients want to communicate via patient portals.

It has been established that secure messaging can improve communication and the quality of healthcare delivery, but healthcare communication is often not a strategic priority. 69% of surveyed healthcare professionals that are not using a secure messaging platform said this was due to budget constraints, 38% said money was spent on other IT priorities, and 34% cited concerns about patient data security, even though secure messaging platforms offer afar greater security than legacy communications systems.

TigerConnect has made several recommendations on how communication in healthcare needs to be improved.

  • Prioritize communication as a strategy
  • Focus on improving communication to ease major bottlenecks
  • Integrate communication platforms with EHRs to get the greatest value
  • Standardize communication across the entire organization
  • Include clinical leadership in solution design
  • Stop using patient portals to communicate with patients and start using patient messaging in the overall communication strategy.

The survey provides valuable insights into the state of communication in healthcare and clearly shows where improvements need to be made. The full TigerConnect 2019 State of Communication in Healthcare Report is available free of charge on this link (registration required).

The post TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers appeared first on HIPAA Journal.

NIST Releases Final Big Data Interoperability Framework

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) has released its final Big Data Interoperability Framework (NBDIF) to help with the creation of data analysis software tools that can run on any computing platform and be easily moved from one computing platform to another.

NBDIF is the culmination of several years of work and collaboration with more than 800 experts from the government, academia, and private sector. The final document is divided into nine volumes covering big data definitions and taxonomies, use case & requirements, privacy and security, reference architecture, roadmap standards, a reference architecture interface, and modernization and adoption.

The main purpose of NBDIF is to guide developers on the creation and deployment of widely useful tools for big data analysis that can be used on different computing platforms; from a single laptop computer to multi-node cloud-based environments. Developers need to create their big data analysis tools to allow them to easily be moved from one platform to another and allow data analysts to be able to switch to more advanced algorithms without having to retool their computer environments.

The framework can be used by developers to create an agnostic environment for big data analysis tool development so that their tools will allow data analysts’ results to flow interruptedly, even if their goals change and technology advances.

“The framework fills a long-standing need among data scientists, who are asked to extract meaning from ever-larger and more varied datasets while navigating a shifting technology ecosystem,” explained NIST.

The volume of data available for analysis has grown considerably in recent years. Data is now collected from a vast range of devices, including a myriad of sensors connected to the internet of things. Globally, several years ago around 2.5 exabytes (billion billion bytes) of data was being generated each day. By 2025, global data generation has been predicted to reach 463 exabytes a day.

Data scientists can use vast datasets to gain valuable insights and big data analysis tools can allow them to scale up their analyses from single laptop setups to distributed cloud-based environments that operate across several nodes and analyze huge volumes of data.

In order to do that, data analysts may need to rebuild their tools from scratch and use different computer languages and algorithms to enable them to be used on different platforms. Use of the framework will improve interoperability and significantly reduce the burden on data analysts.

The final version of the framework includes consensus definitions and taxonomies to ensure developers are on the same page when discussing plans for new analysis tools, along with data privacy and security requirements, and a reference architecture interface specification to guide deployment of their tools.

“The reference architecture interface specification will enable vendors to build flexible environments that any tool can operate in,” said NIST data scientist, Wo Chang. “Before, there was no specification on how to create interoperable solutions. Now they will know how.”

These big data analysis tools have many potential uses, such as in drug discovery where scientists must analyze the behavior of several candidate drug proteins in one round of tests, then feed that data into the next round.  The ability to make changes easily will help to speed up the analyses and reduce drug development costs. NIST also suggests that the tools could help analysts identify health fraud more easily.

“Performing analytics with the newest machine learning and AI techniques while still employing older statistical methods will all be possible,” said Chang. “Any of these approaches will work. The reference architecture will let you choose.”

The post NIST Releases Final Big Data Interoperability Framework appeared first on HIPAA Journal.

Atlantic.Net Recognized in Gartner 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations

Posted by HIPAA Journal

Gartner has published its 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations (HDOs). The report contains an analysis of the healthcare cloud market and explains how the cloud can be a viable option for healthcare organizations seeking greater efficiency and flexibility than is achievable with traditional on-premises infrastructure.

Many healthcare organizations are now realizing the value of cloud-based solutions and how intelligent use of the cloud can help improve efficiency, eliminate waste, and drive down the cost of healthcare delivery. The industry may lag behind other sectors in terms of cloud adoption, but the landscape is changing fast as the healthcare cloud market matures.

Healthcare CIOs are now viewing the cloud as an extension of their internal infrastructure. While initially there was a great deal of skepticism about the cloud due to the security risks and potential for costs to spiral out of control, there is now widespread acceptance that the cloud can serve as an IT service delivery model and the healthcare industry is now much more accepting of the cloud. There are tangible benefits to be gained from adopting cloud-based infrastructure and cloud services, HIPAA regulations can be satisfied, and associated risks can be reduced to a low and acceptable level.

Gartner has responded to the growth in cloud adoption in healthcare by producing a market guide for HDOs. The guide defines and describes the market, analyzes the direction the market is taking, and details the most notable vendors that are helping HDOs transition to the cloud.

Gartner has divided the market into four tiers to help healthcare organizations differentiate cloud companies and their offerings. The top tier naturally includes the large cloud service providers (CSPs) such as Amazon (AWS), Microsoft (Azure), IBM (IBM Cloud) and Google (Google Cloud). The second tier contains smaller CSPs that offer more specialist solutions for the healthcare industry such as Healthcare Blocks and Virtustream.

The third tier consists of vertical market players that offer hosting for electronic health records. In this tier are hosting companies such as Atlantic.Net that provide secure, HIPAA-compliant hosting services for electronic health records to allow EHRs to be accessed from any location in real-time, along with HIPAA-compliant hosting for databases, websites, and cloud-based storage services.

In the final tier are platform-as-a-service providers. These are integrated delivery networks that have developed their own cloud-based products for internal use and are now selling those products to other healthcare systems to use under license. Companies such as UK Cloud Health for example.

This is the second year that the Market Guide for Cloud Service Providers to HDOs has been produced and the second time that Atlantic.Net has been named in the market guide.

“We are honored to be named in this report, which we believe further solidifies our standing within distinguished security and compliance service providers,” said Marty Puranik, CEO of Atlantic.Net. “I attribute this success to our team members and skilled engineers, who strive to deliver technological solutions with a human touch.”

Gartner’s 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations can be downloaded hereSubscription required.

The post Atlantic.Net Recognized in Gartner 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations appeared first on HIPAA Journal.

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

Posted by HIPAA Journal

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries and the highest concentration of unprotected PACS were found in the United States. 187 unsecured servers were found in the United States. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems, 20% of which were high-severity and 500 were critical and had a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

The post 400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS appeared first on HIPAA Journal.

Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices.

Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization.

The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data.

Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated. If not, vulnerabilities could be exploited by threat actors to gain access to sensitive data and network resources.

The aim of the new guidance – (NIST) Special Publication 1800-21 – is to help organizations identify and address risks and improve mobile device security to reduce the likelihood of unauthorized device access and data loss and theft.

The guidance includes how-to guides and an example solution developed in a lab environment using commercially available mobile management tools which can be used by enterprises to secure their Apple iOS and Android devices and networks while minimizing the impact on operational processes.

The guidance was developed by NIST and technology partners Kryptowire, Lookout, Appthority, MobileIron, Palo Alto Networks, and Qualcomm and is available for downloaded from NCCoE on this link (PDF – 14.5MB). Comments are being accepted until September 23, 2019.

Further guidance on mobile device security for Bring Your Own Device (BYOD) is currently under development.

The post Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE appeared first on HIPAA Journal.

Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets

Posted by HIPAA Journal

Becton Dickinson (BD) has discovered a vulnerability in its Pyxis drug dispensing cabinets which could allow an unauthorized individual to use expired credentials to access patient data and medications.

The vulnerability was discovered by BD, which self-reported the flaw to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). ICS-CERT has recently issued an advisory about the flaw.

The vulnerability affects Pyxis ES versions 1.3.4 to 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12.

The vulnerability – tracked as CVE-2019-13517 – is a session fixation flaw in which existing access privileges are not properly coordinated with the expiration of access when a vulnerable device is joined to an Active Directory (AD) domain.

This means the credentials of a previously authenticated user could be used to gain access to a vulnerable device under certain configurations. This would allow an attacker to obtain the same level of privileges as the user whose credentials are being used, which could give access to patient information and medications. Healthcare providers that do not use AD with the devices are unaffected.

The vulnerability has been assigned a CVSS V3 base score of 7.6 out of 10. ICS-CERT warns that the vulnerability is remotely exploitable and requires a low level of skill to exploit; however, BD notes that connecting the drug cabinets to hospital domains is an uncommon configuration and is not recommended by BD. Consequently, only a limited number of hospitals that use the drug carts will be affected.

The flaw has been addressed in the latest software release, v 1.6.1.1, which removes access to the file-sharing part of the Pyxis network.

Affected healthcare providers have been recommended to implement the following mitigations to reduce the risk associated with the vulnerability:

  • Never rely on expiration dates to remove users from the hospital’s Active Directory system
  • Remove users from the AD role that grants them access to the Pyxis ES system
  • Never place Pyxis ES systems on the hospital domain

BD is unaware of any cases where the vulnerability has been exploited to view data without authorization.

The post Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets appeared first on HIPAA Journal.